From: Matthias Fischer
To: development@lists.ipfire.org
Subject: Re: [PATCH] squid: Update to 6.6
Date: Tue, 19 Dec 2023 19:20:06 +0100

Hi,

I would recommend updating squid as soon as possible because of
CVE-2023-50269.

=> https://nvd.nist.gov/vuln/detail/CVE-2023-50269

"...Due to an Uncontrolled Recursion bug in versions 2.6 through
2.7.STABLE9, versions 3.1 through 5.9, and versions 6.0.1 through 6.5,
Squid may be vulnerable to a Denial of Service attack against HTTP
Request parsing. This problem allows a remote client to perform Denial
of Service attack by sending a large X-Forwarded-For header when the
follow_x_forwarded_for feature is configured. This bug is fixed by Squid
version 6.6..."

As far as I can see, we don't use this feature, but... ;-)

Jm2c,
Matthias

On 11.12.2023 20:41, Michael Tremer wrote:
> Thank you for the patch and review.
>
> Is there any urgency here to include this in the update that is currently in testing? Considering the latest history of vulnerabilities in squid, I am happy to ship any fixes as soon as possible.
>
> -Michael
>
>> On 9 Dec 2023, at 22:05, Adolf Belka wrote:
>>
>> Reviewed-by: Adolf Belka
>>
>> On 09/12/2023 08:56, Matthias Fischer wrote:
>>> For details see:
>>> https://github.com/squid-cache/squid/commits/v6
>>>
>>> Signed-off-by: Matthias Fischer
>>> ---
>>> lfs/squid | 4 ++--
>>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/lfs/squid b/lfs/squid
>>> index d92341794..c0f465c16 100644
>>> --- a/lfs/squid
>>> +++ b/lfs/squid
>>> @@ -24,7 +24,7 @@
>>> include Config
>>> -VER = 6.5
>>> +VER = 6.6
>>> THISAPP = squid-$(VER)
>>> DL_FILE = $(THISAPP).tar.xz
>>> @@ -46,7 +46,7 @@ objects = $(DL_FILE)
>>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>>> -$(DL_FILE)_BLAKE2 = 91ed91f9b0f56f440a7f15a63bbc3e19537b60bc8b31b5bf7e16884367d0da060c5490e1721dbd7c5fce7f4a4e958fb3554d6bdc5b55f568598f907722b651de
>>> +$(DL_FILE)_BLAKE2 = 7c3c96f5cd5f819f6f020fb3e63ee8d9bb26b7fb4ff4405d7963a643c6766344e6492505bc1b33f3040ad800b3d7a3ad6a4b067b031ac4d178ddcac04c6e74dc
>>> install : $(TARGET)
>>>
>
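Review bot: the commit message for the first hunk (`-VER = 6.5` / `+VER = 6.6`) says only "For details see: https://github.com/squid-cache/squid/commits/v6", while the reply above identifies 6.6 as the release that fixes CVE-2023-50269; name the CVE in the commit message (for example "squid: Update to 6.6 (fixes CVE-2023-50269)") so the security motivation for the bump is visible in git history and when the update is prioritised for a release.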
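Review bot: the second hunk swaps the tarball checksum (`-$(DL_FILE)_BLAKE2 = 91ed...` / `+$(DL_FILE)_BLAKE2 = 7c3c...`) but neither the commit message nor the Reviewed-by says how the new value was obtained; both hashes are 128 hex digits, as expected for the BLAKE2b-512 that `b2sum` prints, but a checksum only pins whatever file was downloaded, so please state that the squid-6.6.tar.xz the hash was taken from was verified against upstream (and that the reviewer reproduced the value) before this is merged.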
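As an added example, not part of the original mail and not IPFire or Squid project code, the exposure check implied by the NVD text quoted at the top of the message: an install is at risk only if its Squid version lies in one of the listed ranges and follow_x_forwarded_for is actually configured with an allow rule. The version ranges are taken from the quoted advisory; the `squid -v` banner strings and the two squid.conf fragments are constructed for illustration, and treating the legacy tag "2.7.STABLE9" as (2, 7, 9) for range comparison is an assumption of mine.

```python
"""Triage check for CVE-2023-50269 exposure.

Added example; not IPFire or Squid project code. Per the NVD text quoted
in the mail, an install is exposed only if BOTH hold:
  1. the running Squid version is inside an affected range, and
  2. follow_x_forwarded_for is configured (an uncommented 'allow' rule).
All sample inputs below are constructed for illustration.
"""
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Inclusive ranges from the advisory text: 2.6 .. 2.7.STABLE9,
# 3.1 .. 5.9 and 6.0.1 .. 6.5. Assumption: a legacy tag such as
# "2.7.STABLE9" is compared as (2, 7, 9).
AFFECTED_RANGES = [
    ((2, 6, 0), (2, 7, 9)),
    ((3, 1, 0), (5, 9, 0)),
    ((6, 0, 1), (6, 5, 0)),
]


def parse_version(text: str) -> Version:
    """Reduce '6.5', '6.0.1', '3.5.28' or '2.7.STABLE9' to (major, minor, patch).

    Missing components count as 0, so '6.5' becomes (6, 5, 0).
    """
    nums = re.findall(r"\d+", text)
    if len(nums) < 2:
        raise ValueError(f"unrecognised squid version: {text!r}")
    parts = tuple(int(n) for n in nums[:3])
    return (parts + (0, 0))[:3]


def version_from_squid_v(output: str) -> Version:
    """Pull the version out of `squid -v` output ('Squid Cache: Version 6.5 ...')."""
    m = re.search(r"Version\s+(\S+)", output)
    if not m:
        raise ValueError("no 'Version' token in squid -v output")
    return parse_version(m.group(1))


def version_is_affected(version: Version) -> bool:
    """True if the version lies inside any affected range (bounds inclusive)."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def follow_xff_enabled(conf_text: str) -> bool:
    """True if squid.conf carries an uncommented 'follow_x_forwarded_for allow ...' rule.

    Squid's built-in default is 'follow_x_forwarded_for deny all', so a
    deny-only configuration leaves the feature off. Trailing '# ...'
    comments are stripped before matching.
    """
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "follow_x_forwarded_for" and fields[1] == "allow":
            return True
    return False


def exposure(squid_v_output: str, conf_text: str) -> Dict[str, object]:
    """Combine both checks into one verdict dictionary."""
    version = version_from_squid_v(squid_v_output)
    affected = version_is_affected(version)
    xff = follow_xff_enabled(conf_text)
    return {
        "version": version,
        "version_affected": affected,
        "follow_x_forwarded_for": xff,
        "exposed": affected and xff,
    }


# Constructed squid.conf fragments (not IPFire's real configuration).
CONF_XFF_OFF = """\
http_port 192.168.0.1:800
acl localnet src 192.168.0.0/24
# follow_x_forwarded_for allow localnet   <- commented out, feature stays off
follow_x_forwarded_for deny all
"""

CONF_XFF_ON = """\
acl trusted_proxy src 10.0.0.5
follow_x_forwarded_for allow trusted_proxy  # trust XFF only from this hop
follow_x_forwarded_for deny all
"""

if __name__ == "__main__":
    # Constructed `squid -v` first lines for the version before and after the patch.
    for banner in ("Squid Cache: Version 6.5", "Squid Cache: Version 6.6"):
        print(banner, "->", exposure(banner, CONF_XFF_ON))
```

On a real box the two inputs would come from `squid -v` and the installed squid.conf; the verdict deliberately requires both conditions, so a 6.5 install with only the default deny rule reports version_affected but not exposed, which is the situation the mail describes before the 6.6 update lands.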